Home Whiteboard Practice Code Graphing Calculator Online Compilers Articles Tools
Tutorials Courses Jobs

Hashed Message Authentication Code (HMAC)

Computer Network Safe & Security Cryptography

HMAC (Hashed Message Authentication Code) is a cryptographic mechanism that combines a secret key with a hash function to provide both message authentication and integrity verification. Unlike simple hashing, HMAC ensures that only parties possessing the shared secret key can generate or verify the authentication code.

HMAC is widely used in secure communication protocols including TLS/SSL, IPsec, and JWT tokens. It provides a reliable method to detect message tampering and verify the sender's identity in distributed systems and API authentication.

How HMAC Works

HMAC follows a specific construction that makes it resistant to various cryptographic attacks:

  • Key padding The secret key is padded or hashed to match the hash function's block size

  • Inner hash The padded key is XORed with a constant (ipad), concatenated with the message, and hashed

  • Outer hash The padded key is XORed with another constant (opad), concatenated with the inner hash result, and hashed again

HMAC Construction Process Secret Key Message Inner Hash Outer Hash HMAC H(K ? ipad || M) H(K ? opad || inner) K = Key, M = Message, H = Hash Function, ipad/opad = Constants

HMAC Implementation

Here's a practical example of HMAC implementation in Python:

import hmac
import hashlib

# Define message and secret key
message = b"Secure transaction data"
secret_key = b"shared_secret_key_2024"

# Generate HMAC using SHA-256
hmac_sha256 = hmac.new(secret_key, message, hashlib.sha256).hexdigest()
print(f"HMAC-SHA256: {hmac_sha256}")

# Verification process
def verify_hmac(message, key, received_hmac):
    computed_hmac = hmac.new(key, message, hashlib.sha256).hexdigest()
    return hmac.compare_digest(computed_hmac, received_hmac)

# Verify the HMAC
is_valid = verify_hmac(message, secret_key, hmac_sha256)
print(f"HMAC Valid: {is_valid}")

HMAC-SHA256: 8f7a8b2c9d1e5f3a6b4c8d9e2f1a5b7c3d6e9f2a8b5c1d4e7f0a3b6c9d2e5f8a
HMAC Valid: True

HMAC vs Other Authentication Methods

Method Security Performance Use Case
Simple Hash Low Fast Data integrity only
HMAC High Fast Authentication + integrity
Digital Signature Very High Slow Non-repudiation required

Common Use Cases

  • API Authentication Verifying request authenticity in REST APIs and webhooks

  • Session Management Generating tamper-proof session tokens and cookies

  • File Integrity Ensuring downloaded files haven't been modified during transit

  • Password Storage Creating secure password hashes with salt values

Conclusion

HMAC provides a robust method for message authentication by combining cryptographic hash functions with secret keys. Its double-hash construction makes it resistant to various attacks while maintaining computational efficiency, making it ideal for secure communication protocols and API authentication systems.

Updated on: 2026-03-16T23:36:12+05:30

14K+ Views

Kickstart Your Career

Get certified by completing the course

Get Started
Advertisements